Oops! Islington Council Blunders Sensitive Data Through Excel Misunderstanding
Council Faces £70k Penalty for Disclosure of Sensitive Data in Freedom of Information Reply
In a head-scratching fiasco, the Islington Borough Council has been hit with a hefty £70,000 fine from the Information Commissioner's Office (ICO). This penalty was levied after the council released highly confidential resident data in response to a Freedom of Information (FOI) request.
Earlier this year, the council responded to an FOI request submitted via WhatDoTheyKnow.com, a popular platform for members of the public to submit such requests. The council's response came in the form of three spreadsheets, which contained the housing needs details of 2,375 residents.
Unfortunately, tucked away in the form of pivot tables within these spreadsheets, private information such as residents' histories of mental illness and experiences of domestic abuse were unveiled — information that could easily be exposed with a "user with basic knowledge of Excel".
Although this data-laden nightmare went unnoticed for three weeks, an administrator eventually recognized the issue, quickly removed the spreadsheets, and alerted the ICO.
The ICO's investigation revealed that while an information governance officer had glanced over the spreadsheets prior to their release, they were unfamiliar with pivot tables and unaware of the concealed data they concealed.
The publicly shared spreadsheets were downloaded a total of seven times.
The ICO concluded that a fine was justified considering the number of affected residents, the sensitive nature of the information, and the council's lack of organizational precautions to prevent such blunders.
In the ICO's penalty notice, Stephen Eckersley, head of enforcement, highlighted the incident's lasting impact: "Councils are trusted with sensitive personal information, and residents are right to expect it to be handled properly. Unfortunately, in this case, that didn't happen, and Islington Council must now explain to residents how they will prevent these mistakes from happening again."
Islington Council does not intend to contest the fine. In a statement, they expressed their regret over the alarm and distress caused and described their efforts to put more stringent checks in place and provide additional training to their FOI responding staff.
Data breaches like this one, often caused by understanding gaps in how Excel stores sensitive data, are becoming increasingly significant concerns for public authorities as evidenced by a growing number of such incidents and regulatory attention.
To avoid such incidents, councils and other public entities can implement measures such as comprehensive training programs, using detection and redaction tools, establishing sound review processes, and ensuring policy and compliance alignment to guard against easily preventable information leaks.
- The sensitive data breach incident at Islington Council, involving the revelation of residents' mental health records and experiences of domestic abuse, underscores the growing concern about data security, particularly regarding Excel's handling of sensitive health-and-wellness information.
- As public awareness around mental health continues to rise, it is essential for councils and other authorities to prioritize science-backed approaches to improve mental health, ensuring that such incidents do not compromise residents' health-and-wellness or infringe on their right to mental health privacy.
